Gentoo Archives: gentoo-security

From: Mark Guertin <guertin@××××××××××××××.com>
To: Andrew Gaffney <agaffney@×××××××××××.com>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] tripwire-ish portage scanner
Date: Thu, 25 Mar 2004 20:14:23
Message-Id: E50A84FC-7E98-11D8-BBBC-000A95DC1AB2@brucemaudesign.com
In Reply to: Re: [gentoo-security] tripwire-ish portage scanner by Andrew Gaffney
On 25-Mar-04, at 3:03 PM, Andrew Gaffney wrote:

> Tom Hosiawa wrote:
>>> On Thu, Mar 25, 2004 at 12:46:25PM -0600, Andrew Gaffney wrote:
>>>
>>>> I've come up with a quick n' dirty Perl script to use portage's
>>>> MD5s in a tripwire fashion.
>>>>
>>>
>>> Didn't you know about qpkg? qpkg already does this, qpkg -c checks
>>> mtime and md5sum for all packages. With -v it will list the exact
>>> files that mismatch. The only thing that's lacking is checking the
>>> integrity of the md5sums themselves with some kind of signature.
>>>
>>> Regards,
>>>
>>> Michel Wilson.
>> What about qpkg being compromised itself? As I understand it, in
>> tripwire, cryptographic keys are used for the policy file.
>> Couldn't an attacker mess around with which files qpkg scans?
>
> That's another good reason for a custom portage-integrated solution.
>

Well, in theory any file on a machine could have been compromised
(including something built into portage). If you want to be absolutely
sure I would recommend having your scan tools on removable media and
not dependent on anything on the machine you are scanning, like a USB
flash drive on your keychain or the like. As always it depends on how
involved you want to get with things.

I wrote a little python script a while back that did pretty much the
same sort of stuff, but I abandoned it as there were a lot of files
that showed up in scans that most definitely weren't compromised ...
many of which for good reasons (i.e. a newer package updated the file,
user modifications, etc). To do it this way it would have to be more
than a simple script (taking into account duplicates, checking only
against the newest modification date on duplicates, giving users the
option to 'rescan' their files after they have made approved
modifications of them, etc), and I wasn't willing to put that much
effort into such a script ;)

Mark



--
gentoo-security@g.o mailing list
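The scan Mark sketches above (compare each installed file against portage's recorded MD5, keep only the newest record when several packages list the same path, and let the user approve their own modifications so they stop showing up) as an added Python example. It is not Mark's abandoned script, Andrew's Perl script or qpkg; it assumes the Gentoo CONTENTS line formats `obj <path> <md5> <mtime>`, `sym <path> -> <target> <mtime>` and `dir <path>`, and the package names, file contents and directory tree in `demo()` are constructed for the example.

```python
"""Portage CONTENTS-based integrity scan (added example, not the script
discussed in the thread). Assumes the CONTENTS line formats
'obj <path> <md5> <mtime>', 'sym <path> -> <target> <mtime>' and
'dir <path>'; all sample data in demo() is constructed."""
import hashlib
import os
import tempfile


def parse_contents(text):
    """Yield (path, md5, mtime) for every regular-file ('obj') entry;
    'dir' and 'sym' entries carry no checksum and are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "obj":
            yield fields[1], fields[2].lower(), int(fields[3])


def build_expected(contents_by_pkg):
    """Merge the CONTENTS of several packages into one path -> record table.
    When two packages record the same path (the duplicates Mark mentions),
    keep the record with the newest mtime: that is the file actually on disk."""
    expected = {}
    for pkg, text in contents_by_pkg.items():
        for path, md5, mtime in parse_contents(text):
            current = expected.get(path)
            if current is None or mtime > current["mtime"]:
                expected[path] = {"md5": md5, "mtime": mtime, "pkg": pkg}
    return expected


def file_md5(path):
    """MD5 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(expected, root="/", approved=None):
    """Compare each recorded file under `root` with its CONTENTS record.
    `approved` maps path -> md5 of a user-approved modification; such a
    file is reported as 'approved' rather than 'modified'."""
    approved = approved or {}
    report = {}
    for path, rec in sorted(expected.items()):
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(real):
            report[path] = "missing"
            continue
        actual = file_md5(real)
        if actual == rec["md5"]:
            report[path] = "ok"
        elif approved.get(path) == actual:
            report[path] = "approved"
        else:
            report[path] = "modified"
    return report


def approve(root, paths):
    """Record the current checksum of `paths` as approved (Mark's 'rescan')."""
    return {p: file_md5(os.path.join(root, p.lstrip("/"))) for p in paths}


def _md5(data):
    return hashlib.md5(data).hexdigest()


def demo():
    """Constructed sample: a fake root with three files and three packages."""
    root = tempfile.mkdtemp()
    files = {"/etc/foo.conf": b"option=1\n",   # user edited this one
             "/usr/bin/foo": b"#!/bin/sh\n",
             "/usr/bin/bar": b"bar\n"}
    for path, data in files.items():
        real = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(real), exist_ok=True)
        with open(real, "wb") as f:
            f.write(data)
    # foo-1.0 and foo-1.1 both ship /usr/bin/foo; the newer record must win,
    # otherwise the upgraded binary is falsely reported as modified.
    contents = {
        "app-misc/foo-1.0": "obj /usr/bin/foo %s 1000\ndir /usr/bin\n" % _md5(b"old\n"),
        "app-misc/foo-1.1": "obj /usr/bin/foo %s 2000\nobj /etc/foo.conf %s 2000\n"
                            % (_md5(b"#!/bin/sh\n"), _md5(b"option=0\n")),
        "app-misc/bar-1.0": "obj /usr/bin/bar %s 1500\nobj /usr/bin/baz %s 1500\n"
                            % (_md5(b"bar\n"), _md5(b"baz\n")),
    }
    expected = build_expected(contents)
    before = scan(expected, root)                          # foo.conf: modified
    after = scan(expected, root, approve(root, ["/etc/foo.conf"]))  # foo.conf: approved
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before approval", "after approval"), demo()):
        print(label, report)
```

The approved-checksum table is the part that needs protecting in the same way as the CONTENTS files: as the thread notes, anything stored on the scanned machine can itself be altered, so both belong with the scanner on read-only or removable media rather than under /var/db/pkg.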

Replies

Subject Author
Re: [gentoo-security] tripwire-ish portage scanner Jens Gutzeit <gentoo-security@×××××××.at>